On March 22, a security researcher at Dutch fintech firm VI Company published a report on a flaw in Coinbase. The flaw allowed a user to inflate their Ethereum account balance without restriction.
“By using a smart contract to distribute ether over a set of wallets you can manipulate the account balance of your Coinbase account. If 1 of the internal transactions in the smart contract fails all transactions before that will be reversed. But on Coinbase these transactions will not be reversed, meaning someone could add as much ether to their balance as they want. When you look up the Coinbase wallet address after this transaction you will see that it is empty, but checking your Coinbase wallet will show your funds.”
Fortunately, Coinbase accounts are all verified against real identities, so even if someone had exploited the flaw, they could be detected and tracked by the system. Although the loophole existed for a month, no exploitation of it was found. Coinbase rewarded the company with $10,000.
VI Company showed the details of how to trigger this flaw:
- Set up a smart contract with a few valid Coinbase wallets and one final faulty wallet (for example, a contract that always throws an exception when receiving funds).
- Transfer appropriate funds to the smart contract.
- Execute the smart contract, adding the set amount of ether to the Coinbase wallets without the funds ever actually leaving the smart contract wallet, because the complete transaction fails at the last wallet.
- Repeat until you have more than enough ether in your Coinbase wallet.
- Cash out, or transfer to an off-site wallet.
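The accounting mistake behind this flaw is that internal transfers seen in a transaction trace were credited even though the enclosing transaction reverted on-chain. The following is an added example, not code from VI Company's report or from Coinbase, that contrasts a naive deposit-crediting routine with a corrected one that checks the receipt status (EIP-658) and skips reverted calls, plus a reconciliation check against on-chain balances; the trace representation, addresses and sample transactions are all constructed for illustration.

```python
from dataclasses import dataclass

WEI = 10**18

@dataclass
class InternalCall:
    to: str                 # recipient address
    value: int              # amount in wei
    reverted: bool = False  # this internal call threw

@dataclass
class Transaction:
    status: int             # receipt status (EIP-658): 1 = success, 0 = reverted
    calls: list             # internal calls from the tracer, in execution order

def credit_naive(txs, ledger=None):
    """Buggy: credits every internal transfer in the trace, ignoring the receipt."""
    ledger = dict(ledger or {})
    for tx in txs:
        for call in tx.calls:
            ledger[call.to] = ledger.get(call.to, 0) + call.value
    return ledger

def credit_checked(txs, known_wallets, ledger=None):
    """Fixed: credit only from transactions whose receipt says success, skip
    internal calls that reverted, and ignore addresses that are not ours."""
    ledger = dict(ledger or {})
    for tx in txs:
        if tx.status != 1:
            continue        # whole tx reverted: none of its transfers settled
        for call in tx.calls:
            if call.reverted or call.to not in known_wallets:
                continue
            ledger[call.to] = ledger.get(call.to, 0) + call.value
    return ledger

def reconcile(ledger, onchain):
    """Addresses credited more than the chain actually holds, with the excess."""
    return {a: v - onchain.get(a, 0) for a, v in ledger.items() if v > onchain.get(a, 0)}

# Constructed sample: two deposit addresses we control plus a contract that always throws.
WALLETS = {"0xAAA1", "0xAAA2"}
SAMPLE_TXS = [
    Transaction(0, [InternalCall("0xAAA1", WEI), InternalCall("0xAAA2", WEI),
                    InternalCall("0xBAD", WEI, reverted=True)]),  # last hop reverts
    Transaction(1, [InternalCall("0xAAA1", 2 * WEI)]),            # genuine deposit
]
ONCHAIN = {"0xAAA1": 2 * WEI, "0xAAA2": 0}   # what the chain actually shows
```

Running `reconcile` over the naive ledger surfaces exactly the phantom credits from the reverted transaction, which is the kind of periodic check that would have flagged the empty on-chain address the report describes.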